AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
- `package.json` runs `node setup.js` via `postinstall`.
- `setup.js` collects nearly all process environment variables during install.
- `setup.js` reads backend configuration from env, project `package.json`, `.crypto-config.json`, or `.env`.
- `setup.js` POSTs a formatted dump of captured variables and CI metadata to that backend.
- `index.js` repeats collection and transmission automatically on module import.
- `README.md` documents a different package name and omits automatic network export.
Evidence against
- No hard-coded external endpoint is present; the destination is configuration-controlled.
- No filesystem writes, shell execution, payload download, or persistence code was found.
Behavioral surface
SourceEnvironmentVarsFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 11.0 KB of source